---
icon: gear
title: Configuration Options
description: Using environment variable to configure a self-hosted instance of Rallly.
---

## General

<ParamField path="NEXT_PUBLIC_BASE_URL" required>
  The base url where this instance is accessible, including the scheme (eg.
  `http://` or `https://`), the domain name, and optionally a port.
</ParamField>

<ParamField path="SECRET_PASSWORD" required>
  A random 32-character secret key used to encrypt user sessions
</ParamField>

<ParamField path="SUPPORT_EMAIL" required>
  This email will be shown as the contact email for support queries.
</ParamField>

<ParamField path="NOREPLY_EMAIL">
  This email is used as the sender for all transactional emails. If not set,
  `SUPPORT_EMAIL` will be used instead.
</ParamField>

<ParamField path="NOREPLY_EMAIL_NAME" default="Rallly">
  This name is used as the sender name for all transactional emails.
</ParamField>

<ParamField path="INITIAL_ADMIN_EMAIL">
  Specifies the email address of the first user who will be eligible to become an administrator. After the application starts, the user with this email address must navigate to `/control-panel` and click a button to claim their admin role.
</ParamField>


## Database

<ParamField path="DATABASE_URL" required>
  Postgres database connection string
</ParamField>

## Email (SMTP)

<ParamField path="SMTP_HOST">The host address of your SMTP server</ParamField>

<ParamField path="SMTP_PORT">
  The port of your SMTP server. Common values: 587 (STARTTLS), 465 (SSL), 25 (plain).
</ParamField>

<ParamField path="SMTP_SECURE" default="false">
  Set to "true" if SSL is enabled for your SMTP connection (typically for port 465)
</ParamField>

<ParamField path="SMTP_USER" default="">
  The username (if auth is enabled on your SMTP server)
</ParamField>

<ParamField path="SMTP_PWD" default="">
  The password (if auth is enabled on your SMTP server)
</ParamField>

<ParamField path="SMTP_REJECT_UNAUTHORIZED" default="true">
  Validate TLS certificates. Set to `false` to ignore certificate errors (useful for self-signed certificates, not recommended for production)
  
  <Note>This option is only available from v4.4.0 and later.</Note>
</ParamField>

<ParamField path="SMTP_TLS_ENABLED">
  <Warning>Deprecated: Use `SMTP_REJECT_UNAUTHORIZED=false` to disable certificate validation</Warning>
  Legacy option that is no longer used
</ParamField>

## Auth

<ParamField path="EMAIL_LOGIN_ENABLED" default="true">
  Set to "false" to disable email-based login (magic link authentication).
  When disabled, users can only authenticate via configured OAuth providers
  (Google, Microsoft, OIDC) and user registration is automatically disabled.
  
  <Note>This option is only available from v4.4.0 and later.</Note>
</ParamField>

<ParamField path="REGISTRATION_ENABLED" default="true">
  Set to "false" to disable user registration globally. This environment variable
  takes precedence over the database setting configured via the admin UI.
  Registration requires email login to be enabled.
  
  <Note>This option is only available from v4.4.0 and later.</Note>
</ParamField>

<ParamField path="ALLOWED_EMAILS">
  Comma separated list of email addresses that are allowed to register and
  login. Wildcard characters are supported. Example: Setting it to
  `*@example.com` to allow anyone with a `@example.com` email address.
</ParamField>

### Google

<Accordion title="Setup">
1. Head over to the Credentials tab: https://console.developers.google.com/apis/credentials

2. Create a OAuth client ID. This will be your `GOOGLE_CLIENT_ID` and `GOOGLE_CLIENT_SECRET`

3. Set "Authorized redirect URIs" to include your full domain and end in the callback path:

```
https://<YOUR_DOMAIN>/api/auth/callback/google
```
</Accordion>

<ParamField path="GOOGLE_CLIENT_ID">
  The client ID of your Google application
</ParamField>

<ParamField path="GOOGLE_CLIENT_SECRET">
  The client secret of your Google application
</ParamField>

### Microsoft

<Accordion title="Setup">
Follow the instructions here to create a Microsoft Entra ID application: https://docs.microsoft.com/en-us/entra/identity-platform/quickstart-register-app

After creating the application, set the redirect URI to include your full domain and end in the callback path:

```
https://<YOUR_DOMAIN>/api/auth/callback/microsoft-entra-id
```
</Accordion>

<ParamField path="MICROSOFT_TENANT_ID">
  The tenant ID of your Microsoft application
</ParamField>

<ParamField path="MICROSOFT_CLIENT_ID">
  The client ID of your Microsoft application
</ParamField>

<ParamField path="MICROSOFT_CLIENT_SECRET">
  The client secret of your Microsoft application
</ParamField>

### Custom SSO (OIDC)

The following must be set for OIDC to work:

- `OIDC_DISCOVERY_URL`
- `OIDC_CLIENT_ID`
- `OIDC_CLIENT_SECRET`

<Accordion title="Setup">
Your OAuth 2.0 application needs to be configured with the following scopes:

- `openid`: Essential for OIDC to function, used to perform authentication.
- `profile`: Access to the user's personal information such as name and picture.
- `email`: Access to the user's email address.

Your identity provider should redirect the user back to the following URL:

```
https://<YOUR-DOMAIN>/api/auth/callback/oidc
```
</Accordion>

<ParamField path="OIDC_NAME" default="OpenID Connect">
  The display name of your provider as it will be shown on the login page
</ParamField>

<ParamField path="OIDC_DISCOVERY_URL">
  URL of the `.well-known/openid-configuration` endpoint for your OIDC provider
</ParamField>

<ParamField path="OIDC_ISSUER_URL">
  <Warning>Deprecated from v4.5.0: This option is no longer used.</Warning>
  URL of the issuer for your OIDC provider. You can get this from your OpenId
  Configuration endpoint.
</ParamField>

<ParamField path="OIDC_CLIENT_ID">
  The client ID of your OIDC application
</ParamField>

<ParamField path="OIDC_CLIENT_SECRET">
  The client secret of your OIDC application
</ParamField>

<ParamField path="OIDC_NAME_CLAIM_PATH" default="name">
  The path to the claim that contains the user's name
</ParamField>

<ParamField path="OIDC_EMAIL_CLAIM_PATH" default="email">
  The path to the claim that contains the user's email address
</ParamField>

<ParamField path="OIDC_PICTURE_CLAIM_PATH" default="picture">
  The path to the claim that contains the user's profile picture
</ParamField>

<Info>Use dot notation in `_CLAIM_PATH` fields to access nested objects.</Info>

## Storage (S3)

Storage configuration is optional but required to enable features like user avatar uploads.
For self-hosted deployments, [MinIO](https://min.io/) is the recommended S3-compatible storage solution. Alternatively, you can use cloud services like [AWS S3](https://aws.amazon.com/s3/), [DigitalOcean Spaces](https://www.digitalocean.com/products/spaces), or [Cloudflare R2](https://www.cloudflare.com/developer-platform/r2/).

<ParamField path="S3_BUCKET_NAME">
  The name of your S3 bucket
</ParamField>

<ParamField path="S3_ACCESS_KEY_ID">
  The access key ID of your S3 server
</ParamField>

<ParamField path="S3_SECRET_ACCESS_KEY">
  The secret access key of your S3 server
</ParamField>

<ParamField path="S3_REGION">
  The region of your S3 server
</ParamField>

<ParamField path="S3_ENDPOINT">
  The endpoint of your S3 server. Can be left empty if using AWS S3.
</ParamField>